Switch ACL purpouse
HI,
reading this article https://www.tp-link.com/en/support/faq/3091/, it says to use "Switch ACL" to block routing through vlans.
My stupid question is: why would I explicitly block switching between vlans using ACLs? Shouldn't communication between ports with different VLANs already be prevented by vlan nature itself? What i'm missing?
Thanks.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Intervlan routing is allowed by default at switch side? Also at gateway side?
If i need stateful acl, i need to use acl gateway? And if i use acl gateway i need to also block intervlan at also switch side?
Sorry but i'm confused and didn't found clear documentation about ACLs i omada controller.
- Copy Link
- Report Inappropriate Content
Antony23 wrote
Intervlan routing is allowed by default at switch side? Also at gateway side?
If i need stateful acl, i need to use acl gateway? And if i use acl gateway i need to also block intervlan at also switch side?
Sorry but i'm confused and didn't found clear documentation about ACLs i omada controller.
Correct about your statements. If you have gw ACL, you don't need SW ACL unless you need something else to make it up when some types are not supported.
- Copy Link
- Report Inappropriate Content
Thanks for answer.
But what i woud like to know is if using gw acl the traffic is routing at gateway phisical port or at switch ports.
That's because in router on a stick setup (switch woth vlans -> gateway) if it happens at gw port, the data link between switch and gateway will be shared amoung wan and intervlan traffic. So, if i should have huge data traffic beetwen vlans this will decrease wan bandwidth.
- Copy Link
- Report Inappropriate Content
Please, can someone explain me?
If, as it seems, switch allow ip traffic to route between vlans by default, if i block intervlan routing at gateway side with gateway ACL (LAN-LAN direction), routing between vlans will continue to work at switch side? If not, why?
- Copy Link
- Report Inappropriate Content
Antony23 wrote
Please, can someone explain me?
If, as it seems, switch allow ip traffic to route between vlans by default, if i block intervlan routing at gateway side with gateway ACL (LAN-LAN direction), routing between vlans will continue to work at switch side? If not, why?
No. Because you block it from layer three like Clive said in the old posts.
Vlan interface was originated from gateway level and you don't have access if you block from layer three.
Don't see why you keep asking while you can test this out real quick.
My best suggestions for you is to learn about the OSI and get to know the basic knowledge of networking. Don't expect or count on others.
Or just ring the support instead of waiting here.
- Copy Link
- Report Inappropriate Content
Hi,
maybe my bad english was not suffcient to explain me good. Stay quite, i know OSI and base of networking, i'm sw developer but not completely networking savvy.
I cannot test by myself, i'm new in omada, and before i going to buy equipments i would know if them can suite my needs.
What i wrongly understood, is that layer 2 switches in omada was able to do inter-vlan routing without the need of a layer 3 device, such as gateway. That's because of faq 3091 that use switch ACL instead of router/gw ACL firewall, and above all reading old reddit threads that let me misanderstanding the things.
Now i understand that LAN-LAN ACL on omada was introduced one year ago. And after let testing a friend omada equipments, i understood that L2 switch can't do inter-vlan routing without an L3 device, as it right to be.
Now that i understood how things are, i anyway would ask you:
1. Why, in the gw, we cannot specify ACL for different LAN gw ports? As i see in emulator, we can just apply ACLs to LAN-LAN or LAN-WAN, but them are apllied to all LAN ports of the gateway, i suppose.
2. Why, with LAN-LAN ACL on gw side, we cannot use ip groups? I cannot understand, anyway, if this is a limitation on controller mode or if it also works this way in standalone mode.
Thanks a lot.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 524
Replies: 6
Voters 0
No one has voted for it yet.